If you’re running a small business, your customers want you to take credit cards.
That means you have to keep their credit card and personal information safe. Following small business PCI compliance standards is the best way to protect your customer data and avoid any fees associated with PCI compliance violations.
Security, compliance, credit card fraud—this is the part of your retail business that is about as fun as cold water, but if you want to accept credit cards as a payment method, you need to be PCI compliant.
So, what is PCI Compliance? Why is it important? And how can you make sure you’re processing credit card transactions and collecting payment data securely? This guide will walk you through the basics of PCI compliance so that you have a clear understanding of what it is, the importance of compliance and the consequences of non-compliance.
- What is PCI Compliance?
- Does my business need to be PCI compliant?
- Which PCI level applies to my business?
- What are PCI requirements?
- Why do PCI DSS and security matter?
- What happens if my business is not PCI compliant?
- How can my business meet PCI standards?
What is PCI compliance?
PCI DSS stands for Payment Card Industry Data Security Standard, and PCI compliance means meeting it. It is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect both the consumer and the merchant.
When you take a customer’s credit card, you receive a great deal of sensitive data. The PCI SSC (Payment Card Industry Security Standards Council) was founded by the major card brands (MasterCard, Visa, JCB, Discover and American Express) to develop and manage security standards for the payment card industry.
The PCI DSS outlines minimum requirements for:
- Policies and procedures
- Security management
- Network architecture
- Software design
- Other critical protective measures
Does my business need to be PCI compliant?
Yes. Any merchant, regardless of volume or size of business, who accepts credit cards as a form of payment or processes, transmits or stores cardholder data must comply with all applicable requirements of the PCI DSS.
If you accept credit or debit cards, small business PCI compliance is a must regardless of the size of your business. You must comply with all applicable standards even if you only process one credit card transaction per year.
If your business has multiple locations with separate tax ID numbers, you’ll need to validate PCI compliance at each individual location. If all of your locations operate under one tax ID, typically you are only required to validate PCI compliance annually for all locations. When applicable, you may also need to pass network scans for each location on a quarterly basis.
Which PCI level applies to my business?
For merchants, determining the level of PCI compliance required can be tricky and often depends on how many payment card transactions you handle each year, as well as the credit issuer.
- Level 1: Any merchant processing more than 6 million MasterCard or Visa transactions per year, regardless of channel
- Level 1: A merchant who has been the victim of a hack that resulted in a data compromise
- Level 1: Any merchant designated as Level 1 by a card brand
- Level 2: Any merchant processing 1 to 6 million MasterCard or Visa transactions per year
- Level 3: Any merchant processing 20 thousand to 1 million MasterCard or Visa eCommerce transactions per year
- Level 4: Any other merchant, regardless of acceptance channel (card present, card-not-present, etc.)
If your business falls within any of these four levels, we recommend you contact the PCI council to validate your compliance.
What are PCI requirements?
The requirements you must meet for small business PCI compliance include the following.
Your point of sale must be up to date
You must use credit card terminals and PIN pads that are current and compliant with PCI Data Security Standard (DSS).
Your point of sale (POS) and payment gateway software must be PCI-compliant and validated.
Your wireless network must use encryption, and your router must be protected by a strong, non-default password.
You must check your PIN pads and any other PIN entry devices to make sure that skimmers haven’t been installed.
Skimmers are devices that criminals attach to PIN pads to capture credit card information when a card is swiped or entered, and they can take many forms. Also, check your computers for any rogue software or executable files.
You must not store any cardholder data in any way
This includes everything from storing it on a computer to jotting down a credit card number on a scrap of paper. If your credit card terminal and PIN pad are PCI-compliant, they are programmed to make sure you remain compliant with this requirement automatically.
You must use strong passwords
To do this, you should change any default passwords immediately and require your staff to change passwords on a regular basis. Consider using a password generator to create strong passwords.
You must train your employees about small business PCI compliance
There are online courses and videos to help you.
You must install firewalls on your computers and your internal network
Your computer’s operating system probably already has a firewall as part of its security software, but check to make sure it’s operating properly.
Why do PCI DSS and security matter?
Have you ever had your personal credit card defrauded? PCI standards are designed to help protect all participants in the card ecosystem from this very problem.
When theft or a breach of cardholder data occurs, cardholders lose trust in their financial institutions as well as the merchants with whom they do business. There is also the possibility of large negative financial impact for you and your customers.
What happens if my business is not PCI compliant?
Failure to comply with the PCI DSS regulations can result in penalties and fees.
Non-compliance penalties, which payment brands can adjust at their discretion, range from £3,000 to £60,000 in fines. You may also lose your right to process credit card transactions.
In the event of a breach or hack, the merchant may be subject to the following:
- Fines from the card associations
- Forensic investigation
- Issuing banks may recoup card reissuing costs from the merchant (including possible fraud losses and fraud monitoring expenses)
- Government fines
- Damage to your brand and reputation
Establishing a PCI compliance plan and updating it regularly can help prevent data breaches, keep your costs down and maintain your customers’ trust and loyalty.
How can my business meet PCI standards?
In order to meet the PCI requirements, each merchant has to go through a series of steps.
Compliance validation for merchants at levels 2, 3 and 4 is completed via a yearly Self-Assessment Questionnaire (SAQ). If applicable, quarterly network vulnerability scans may also be conducted by an Approved Scanning Vendor (ASV).
Level 1 merchants must undergo a more rigorous compliance validation, while Level 2, 3 and 4 merchants do not need to undergo external validation and are at the discretion of the acquiring bank.
Make sure to always keep all validation documentation readily available.
Depending on a merchant’s classification or risk level (determined by the individual payment card brands or your PCI level), the steps to follow are:
- PCI DSS Scoping. Determine which system components and networks are in scope for PCI DSS for your business.
- Assessment. Examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement (the relevant SAQ can be used as a guide).
- Reporting. The assessor or entity submits required documentation, like the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), including documentation of all compensating controls.
- Clarifications. The assessor or entity clarifies or updates report statements (if applicable) upon request of the acquiring bank or payment card brand.
Make your life easier with a PCI-compliant POS
While it is still crucial for every merchant to understand why PCI DSS is so important, all Lightspeed Payments hardware and software (soon to be available in the UK) are already PCI Level 1 certified.
We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform, and our integrated payment system provides end-to-end encryption for every transaction, tokenising data the second it reaches our servers.
Chat with us to learn more about Lightspeed’s technical approach to security.
Editor’s note: Nothing in this blog post should be construed as advice of any kind. Any legal, financial or tax-related content is provided for informational purposes only and is not a substitute for obtaining advice from a qualified legal or accounting professional. Where available, we have indicated the first-hand sources of the information contained in this blog post. While we strive to provide accurate content, we cannot be held responsible for any actions or omissions based on such content. Lightspeed does not undertake to complete further verifications or keep this blog post updated over time.